Package io.helidon.webserver.cors
Use CorsSupport and its CorsSupport.Builder to add CORS handling to resources in your application.
Because Helidon WebServer does not use annotation processing to identify endpoints, you need to provide the CORS information for your application another way. You can use Helidon configuration, the Helidon WebServer CORS API, or a combination.
Configuration
Format
CORS configuration looks like this:

    enabled: true    # the default
    allow-origins: ["http://foo.bar", "http://bar.foo"]
    allow-methods: ["DELETE", "PUT"]
    allow-headers: ["X-bar", "X-foo"]
    allow-credentials: true
    max-age: -1

Finding and applying CORS configuration
Although Helidon WebServer prescribes the CORS config format, you can put it wherever you want in your application's configuration file. Your application code will retrieve the CORS config from its location within your configuration and then use that config node to prepare CORS support for your app. For example, if you set up this configuration

    narrow:
      allow-origins: ["http://foo.bar", "http://bar.foo"]
      allow-methods: ["DELETE", "PUT"]
      allow-headers: ["X-bar", "X-foo"]
      allow-credentials: true
      max-age: -1
    wide:
      enabled: false
      allow-origins: ["*"]
      allow-methods: ["*"]
    just-disabled:
      enabled: false

in a resource called myApp.yaml then the following code would apply it to your app:

    Config myAppConfig = Config.builder().sources(ConfigSources.classpath("myApp.yaml")).build();
    Routing.Builder builder = Routing.builder();
    // The "narrow" CORS config guards every HTTP method on /greet
    myAppConfig.get("narrow").ifPresent(c -> builder.any(
            "/greet", CorsSupport.create(c),
            (req, resp) -> resp.status(Http.Status.OK_200).send()));
    // The "wide" CORS config is attached to GET on /greet
    myAppConfig.get("wide").ifPresent(c -> builder.get(
            "/greet", CorsSupport.create(c),
            (req, resp) -> resp.status(Http.Status.OK_200).send("Hello, World!")));

This sets up more restrictive CORS behavior for more sensitive HTTP methods (PUT for example) and more liberal CORS
behavior for GET.
The Helidon WebServer CORS API
You can define your application's CORS behavior programmatically -- together with configuration if you want -- by:
- creating a CrossOriginConfig.Builder instance,
- operating on the builder to prepare the CORS set-up you want,
- using the builder's build() method to create the CrossOriginConfig instance, and
The next example shows creating CORS information and associating it with the path /cors3 within the app.

    CrossOriginConfig corsForCORS3 = CrossOriginConfig.builder()
            .allowOrigins("http://foo.bar", "http://bar.foo")
            .allowMethods("DELETE", "PUT")
            .build();
    Routing.Builder builder = Routing.builder()
            .register("/myapp",
                      CorsSupport.builder()
                              .addCrossOrigin("/cors3", corsForCORS3) // links the CORS info with a path within the app
                              .build(),
                      new MyApp());

Notice that you pass two services to the register method: the CorsSupport instance and your app
instance. Helidon WebServer will process requests to the path you specify with those services in that order.
Also, note that you have to make sure you use the same path in this API call and in your MyApp service if you adjust
the routing there.
Invoke addCrossOrigin multiple times to link more paths with CORS configuration. You can reuse one
CrossOriginConfig object with more than one path if that meets your needs.
Remember that the CORS protocol uses the OPTIONS HTTP method for preflight requests. If you use the handler-based
methods on Routing.Builder be sure to invoke the options method as well (or any) to set up routing for
OPTIONS requests.
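A simplified model of the preflight decision that the configuration keys control, evaluated against the narrow and wide sections of the myApp.yaml example. This is an added illustration in Python, not Helidon code: the function names, the sample requests and the refusal behaviour are assumptions, and max-age is not modelled.

```python
# NARROW and WIDE are transcribed from the page's myApp.yaml example.
NARROW = {
    "allow-origins": ["http://foo.bar", "http://bar.foo"],
    "allow-methods": ["DELETE", "PUT"],
    "allow-headers": ["X-bar", "X-foo"],
    "allow-credentials": True,
    "max-age": -1,
}
WIDE = {"enabled": False, "allow-origins": ["*"], "allow-methods": ["*"]}


def _allowed(value, allowed, fold=False):
    """True if value is listed or the list holds the "*" wildcard."""
    if "*" in allowed:
        return True
    if fold:  # header names compare case-insensitively
        return value.lower() in {a.lower() for a in allowed}
    return value in allowed


def preflight(policy, origin, method, headers=()):
    """Return the CORS response headers for a preflight, or None if refused.

    Assumption of this model: a disabled policy adds no CORS headers, and an
    origin, method or header outside the policy refuses the whole request.
    """
    if not policy.get("enabled", True):  # "enabled: true" is the default
        return None
    if not _allowed(origin, policy.get("allow-origins", ["*"])):
        return None
    if not _allowed(method, policy.get("allow-methods", ["*"])):
        return None
    wanted = policy.get("allow-headers", ["*"])
    if not all(_allowed(h, wanted, fold=True) for h in headers):
        return None
    resp = {
        # Echo the origin: browsers reject "*" on credentialed requests.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": method,
    }
    if headers:
        resp["Access-Control-Allow-Headers"] = ", ".join(headers)
    if policy.get("allow-credentials", False):
        resp["Access-Control-Allow-Credentials"] = "true"
    return resp
```

In this model the wide section yields no CORS headers as written, because it carries enabled: false; its wildcard lists only take effect once that entry is changed.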
Each CorsSupport instance can be enabled or disabled, either through configuration or using the API.
By default, when an application creates a new CorsSupport.Builder instance that builder's build() method will
create an enabled CorsSupport object. Any subsequent explicit setting on the builder, either expressly set by an
enabled entry in configuration passed to CorsSupport.Builder.config or set by invoking
CorsSupport.Builder.enabled follows the familiar "latest-wins" approach.
Class Description
- Container class for CORS related annotations and types.
- Whether to allow credentials.
- Allowed headers.
- Allowed methods.
- Allowed origins.
- Enable support for CORS for an endpoint method (such as an OPTIONS handler) and allow default CORS behavior (any origin, any header, any method, no expose headers), do not allow credentials, and max age is set to 1 hour.
- Expose headers.
- Max age.
- Configuration of CORS feature.
- Fluent API builder for CorsFeature.
- CorsConfig.BuilderBase<BUILDER extends CorsConfig.BuilderBase<BUILDER,PROTOTYPE>, PROTOTYPE extends CorsConfig>: Fluent API builder base for CorsConfig.
- Generated implementation of the prototype, can be extended by descendant prototype implementations.
- Deprecated, for removal: This API element is subject to removal in a future version.
- Adds CORS support to Helidon WebServer.
- Deprecated, for removal: This API element is subject to removal in a future version. this class should never be used directly, and will be removed, you can get an instance of CorsFeature either from ServiceRegistry, or through one of the feature's static factory or builder methods; paths configured in config are registered first, before paths configured through service registry
- Configuration of CORS for a specific path.
- Fluent API builder for CorsPathConfig.
- CorsPathConfig.BuilderBase<BUILDER extends CorsPathConfig.BuilderBase<BUILDER,PROTOTYPE>, PROTOTYPE extends CorsPathConfig>: Fluent API builder base for CorsPathConfig.
- Generated implementation of the prototype, can be extended by descendant prototype implementations.
- Deprecated, for removal: This API element is subject to removal in a future version. CORS configuration is centralized to module helidon-webserver-cors with io.helidon.webserver.cors.CorsFeature either from ServiceRegistry, or through one of the feature's static factory or builder methods; paths configured in config are registered first, before paths configured through service registry; this class will be removed in a future version of Helidon
- Fluent API builder for CorsSupport.
CorsFeature; additional protected paths can be specified using CorsConfig.BuilderBase.addPath(CorsPathConfig), or by creating a ServiceRegistry that provides an instance of CorsPathConfig.